Secure data transmission in modem computer networks may be employed through the use of a private key shared among the sending and receiving parties. Provided that the private key itself remains secure, deciphering of data encoded with the private key is virtually computationally impossible, should the encrypted data be intercepted. Accordingly, the strength of the private key cryptographic system depends, among other things, on the manner in which the private key is distributed. Should the private key be intercepted, e.g., during transmission between the parties, resulting ciphertext may be exposed.
FIG. 1 shows one form of a conventional key distribution process. As shown in FIG. 1, for a party, Bob, to decrypt ciphertext encrypted by a party, Alice, Alice or a third party must share a copy of the key with Bob. This distribution process may be implemented in a number of conventional ways including the following: 1) Alice can select a key and physically deliver the key to Bob; 2) a third party can select a key and physically deliver the key to Bob; 3) if Alice and Bob both have an encrypted connection to a third party, the third party can deliver a key on the encrypted links to Alice and Bob; 4) if Alice and Bob have previously used an old key, Alice can transmit a new key to Bob by encrypting the new key with the old key; and 5) Alice and Bob may agree on a shared key via a one-way mathematical algorithm, such as Diffie-Helman key agreement.
Unfortunately, each of these distribution methods are vulnerable to interception of the distributed key by an eavesdropper Eve, or by Eve “cracking” the supposedly one-way algorithm. Eve can eavesdrop and intercept, or copy, a distributed key and then subsequently decrypt any intercepted ciphertext that is sent between Bob and Alice. In conventional cryptographic systems, this eavesdropping may go undetected, with the result being that any ciphertext sent between Bob and Alice is compromised.
To combat these inherent deficiencies in the key distribution process, a key distribution technique called quantum cryptography has been developed. Quantum cryptography employs quantum systems and applicable fundamental principles of physics to ensure the security of distributed keys. Heisenberg's uncertainty principle mandates that any attempt to observe the state of a quantum system will necessarily induce a change in the state of the quantum system. Thus, when very low levels of matter or energy, such as single or individual photons, are used to distribute keys, the techniques of quantum cryptography permit the key distributor and receiver to determine, with certainty, whether any eavesdropping has occurred during the distribution of the key. Quantum cryptography, therefore, prevents an eavesdropper, like Eve, from copying or intercepting a key that has been distributed from Alice to Bob without a significant probability of Bob's or Alice's discovery of the eavesdropping.
One quantum key distribution (QKD) scheme involves a quantum channel, through which Alice and Bob send keys using individual polarized or phase encoded photons, and a public channel, through which Alice and Bob send ordinary non-encoded messages. The quantum channel is a path, such as through air or an optical fiber, that attempts to minimize the QKD photons' interaction with the environment. The public channel may include a channel on any type of communication network such as a Public Switched Telephone network, the Internet, or a wireless network. An eavesdropper, Eve, may attempt to measure the photons on the quantum channel. Such eavesdropping, however, will induce a measurable disturbance in the photons in accordance with the Heisenberg uncertainty principle. Alice and Bob use the public channel to discuss and compare the photons sent through the quantum channel. If, through their discussion and comparison, they determine that there is no evidence of eavesdropping, then the key material distributed via the quantum channel can be considered completely secret.
FIGS. 2 and 3 illustrate a scheme 200 for quantum key distribution in which the polarization of each photon is used for encoding cryptographic values. Initially, Alice's quantum key generator 205 generates random bit values and bases and then encodes the bits as polarization states in sequences of individual photons sent via the quantum channel 210 (see row 1 of FIG. 3). Alice does not tell anyone the polarization of the photons she has transmitted. Bob's quantum key generator 215 receives the photons and measures their polarization along either a rectilinear or diagonal basis that is randomly selected with substantially equal probability. Bob records his chosen basis (see row 2 of FIG. 3) and his measurement results (see row 3 of FIG. 3). Bob and Alice then discuss, via a public channel 220, which basis Bob has chosen to measure each photon (e.g., row 2 of FIG. 3). Bob, however, does not inform Alice of the result of his measurements (e.g., row 3 of FIG. 3). Alice tells Bob, via the public channel, whether he has made the measurement along the correct basis (see row 4 of FIG. 3). Then, in a process referred to as “sifting”, both Alice and Bob discard all cases in which Bob has made the measurement along the wrong basis and keep only the ones in which Bob has made the measurement along the correct basis (see row 5 of FIG. 3).
Once the photons have been sifted, Alice and Bob adopt the remaining polarizations, or some algebraic combination of their values, as secret bits of a shared secret key, interpreting horizontal or 45 degree polarized photons as binary 0's and vertical or 135 degree photons as binary 1's (see row 6 of FIG. 3). The keys are then used by data transmitter 225 and data receiver 230 to encrypt and decrypt subsequent data transmissions via ciphertext channel 235.
Unfortunately, due to the very quantum characteristics which enable secure generation of the keys, conventional QKD techniques are physically limited to distribution over a single span or hop, typically on the order of 80 km or less. For transmissions of longer than about 80 km, optical amplification is typically required. During such amplification, however, the quantum state of the transmitted key generation photons is modified, thereby disrupting key generation.